From 550f3e9df3410b3dd975e590042c0d83e20a8da3 Mon Sep 17 00:00:00 2001
From: Michael Niedermayer <michaelni@gmx.at>
Date: Sat, 4 Oct 2014 22:15:07 +0200
Subject: avcodec/on2avc: Check number of channels

Fixes out of array access
Fixes: asan_heap-oob_4da4f3_7_asan_heap-oob_4da4f3_173_Xmen_avc_500.vp6

Found-by: Mateusz "j00ru" Jurczyk and Gynvael Coldwind
Signed-off-by: Michael Niedermayer <michaelni@gmx.at>
---
 libavcodec/on2avc.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/libavcodec/on2avc.c b/libavcodec/on2avc.c
index ab6048b63e..e5e7cc3879 100644
--- a/libavcodec/on2avc.c
+++ b/libavcodec/on2avc.c
@@ -908,6 +908,11 @@ static av_cold int on2avc_decode_init(AVCodecContext *avctx)
     On2AVCContext *c = avctx->priv_data;
     int i;
 
+    if (avctx->channels > 2U) {
+        avpriv_request_sample(avctx, "Decoding more than 2 channels");
+        return AVERROR_PATCHWELCOME;
+    }
+
     c->avctx = avctx;
     avctx->sample_fmt     = AV_SAMPLE_FMT_FLTP;
     avctx->channel_layout = (avctx->channels == 2) ? AV_CH_LAYOUT_STEREO
-- 
cgit v1.2.3